Windows Authentication & MVC: proper way to exclude individual file/route

Submitted by 为君一笑 on 2019-12-10 18:03:44

Question


I have an MVC 3 site which is protected via Windows Authentication. However, there is a physical file at the root of the site, along with a controller action method (via a custom route), which need to be available without authenticating. What is the proper way to do this? I want the entire site protected without needing [Authorize] at the top of my controllers (or in a base controller class). On IIS 7, I have both Anonymous and Windows Authentication enabled at the site root.

Currently I have the following (applicable) sections in my Web.config:

<authentication mode="Windows" />
<location path="public.js"> <!-- physical file -->
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="public.gif"> <!-- custom route to action method -->
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

If I don't put [Authorize] at the top of my controllers, I am never prompted for credentials. Do I just need a <deny users="?"/> somewhere, or is there a better way to approach this from the start?

Thanks!


Answer 1:


Authentication for controller actions must be handled by the [Authorize] attribute. The web.config settings only apply to physical files.

If you don't want to put the [Authorize] attribute on each controller, you could make a base controller class that includes the [Authorize] attribute. All controllers that inherit from this base controller class would automatically require authentication.

Personally, I don't find it that difficult to add the [Authorize] attribute manually to each controller and prefer the finer level of control.
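
The base-controller approach from the answer, as an added example that is not part of the original question or answer. MVC 3 has no built-in opt-out for an inherited [Authorize], so this sketch uses a subclass of AuthorizeAttribute with a marker attribute; `PublicEndpointAttribute`, `AuthorizeUnlessPublicAttribute`, `SecuredController`, the two controllers and the `~/Content/public.gif` path are all hypothetical names.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical marker: an action or controller carrying it skips the authentication check.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class PublicEndpointAttribute : Attribute { }

// [Authorize] variant that honours the marker above and otherwise behaves like [Authorize].
public class AuthorizeUnlessPublicAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        ActionDescriptor action = filterContext.ActionDescriptor;
        bool isPublic =
            action.IsDefined(typeof(PublicEndpointAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(PublicEndpointAttribute), true);

        if (isPublic) return;                 // explicitly exempted: allow anonymous access
        base.OnAuthorization(filterContext);  // everything else: require an authenticated user
    }
}

// Every controller that inherits from this class is protected by default.
[AuthorizeUnlessPublic]
public abstract class SecuredController : Controller { }

public class ReportsController : SecuredController
{
    // No attribute needed: anonymous requests get a 401 and the Windows auth challenge.
    public ActionResult Index() { return View(); }
}

public class AssetsController : SecuredController
{
    // Target of the custom route for public.gif; reachable without credentials.
    [PublicEndpoint]
    public ActionResult PublicGif()
    {
        // Assumed location of the image on disk.
        return File(Server.MapPath("~/Content/public.gif"), "image/gif");
    }
}
```

A controller that derives directly from Controller instead of SecuredController is not protected by this, so new controllers are worth checking in code review. The physical file public.js is not served by a controller and remains governed by its location element in Web.config.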



Source: https://stackoverflow.com/questions/6836702/windows-authentication-mvc-proper-way-to-exclude-individual-file-route
